asyncrat | 58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6

General

Target

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Size

35KB
MD5

431ce7e93e9313ebbda1699b82522527
SHA1

9875ec75df23533fed3579de34acc58918a348c1
SHA256

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6
SHA512

6bc78822500624376940c117daff722e7538e2e77c0c022a9e828231b07b84b9a60ed14ef16143e3bc358ddd7a2e28f3a6c436a4d50fa9fb84f47d540df3e29f
SSDEEP

768:eeBy5oxQY0QDvZtt+cty5ZpyZngfNO+M4aSScy:ew4oxZjz0NkgfNO+MGTy

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2140-30-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2140-28-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2140-25-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2140-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2140-20-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 5 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2140-30-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2140-28-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2140-25-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2140-22-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2140-20-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe
2140	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Token: SeDebugPrivilege	2140	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2140	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2800	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 2448 wrote to memory of 2800	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 2448 wrote to memory of 2800	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 2448 wrote to memory of 2800	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 2800 wrote to memory of 2724	2800	csc.exe	32
PID 2800 wrote to memory of 2724	2800	csc.exe	32
PID 2800 wrote to memory of 2724	2800	csc.exe	32
PID 2800 wrote to memory of 2724	2800	csc.exe	32
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 2448 wrote to memory of 2140	2448	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33

C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
"C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr43g5gv\mr43g5gv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49CC.tmp" "c:\Users\Admin\AppData\Local\Temp\mr43g5gv\CSC5D45A84BC7644131A77C77D5B7B0B781.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES49CC.tmp

Filesize
1KB

MD5
f57057f4c2ab56b0fada996aab75ff61

SHA1
c9fa998b78ebd58e83f2e6a1a1f9ce767c22f77b

SHA256
fbd31542a0f0d282600912b6813b47ef371b9ae33ba74b9b816e178bc0b786a5

SHA512
a6d327f0753b3326b0601f4b6504405fdbc23a8e17d21c70c3c36fb444a07b1b6868de6e1826b5d608532f888837a5ba7884057afb4459aa6c8ac45a0a37a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mr43g5gv\mr43g5gv.dll

Filesize
9KB

MD5
74e4474a99c3629e46e6b05bb1016d79

SHA1
066d267c4d664dc91f5a7a70d5d8f836feb3e76f

SHA256
7aa1d946cb42f8886205472f00c4ff981c3b917ba3912eabd80ca0f7d941deff

SHA512
3a72f55359f0407c2e166a165fd4173665b2e799f47758776b921eda965b1ce23149fbf6c24b30c7673b93d0a427afa7b01bd126758f5a2a0791b3d856e15ae6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr43g5gv\CSC5D45A84BC7644131A77C77D5B7B0B781.TMP

Filesize
652B

MD5
e1133f2c22b05abf068a97f699e6d302

SHA1
c7f08df9ba86f954b215ade0269994c791f0bbee

SHA256
4fbcf86ef2ced553e3dfa3b911ae8dcb71715e872d97004850a26f0625fd5530

SHA512
29c6df29f3da4ae4b242d7cdce6766183a856dcdc4c87b282a0d05ac8d9682d58d8d06ae936a655e5ceb0cfbb444ad62ff0d344f5de72b8c3a70fb2158c60a52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr43g5gv\mr43g5gv.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr43g5gv\mr43g5gv.cmdline

Filesize
204B

MD5
7ba58f83e9ff1c57ed16b731a2dea1db

SHA1
197da73460bb7ba4e3c6f823ef6086404d7a5695

SHA256
48ba1931373497700e8fd0a1c9681e8037fcc266c01696320ff1717e9e1075ec

SHA512
59166c68a6c83f1f8b91e1f0555f6480360a8a1c54b189636743aa68e4a2f46bb9d66e093439a09ae7557334b02a0bee243045fc1f6451901e7434a24855151a

Download Submit
memory/2140-28-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-30-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-25-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2140-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-20-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2140-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2448-5-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-1-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2448-15-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2448-26-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing